Secure Coding mailing list archives
RE: Protecting users from their own actions
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Wed, 07 Jul 2004 01:31:23 +0100
In Ken van Wyk's cited article at http://www.esecurityplanet.com/views/article.php/3377201 he writes...
As I said above, user awareness training is a fine practice that shouldn't be abandoned. Users are our first defense against security problems, and they should certainly be educated on how to spot security problems and who to report them to. By all means, teach your users to be wary of incoming email attachments. Teach them to keep their anti-virus software up to date, and their firewall software locked down tight. Do not, however, be shocked when they make the "wrong" choice.
I would contend that in any sufficiently large user population the probability that someone will open up a suspect attachment approaches one. In fact, I think that in a sufficiently large population, this probability approaches 1 even if: 1) the e-mail were from a complete stranger; 2) the name of the attached file was "i_am_a_worm_that_will_destroy_your_harddrive.exe". (#2 assuming that your mail filter didn't catch something so obvious -- and if it didn't, time to revise your filtering rules! ;-)

So, I completely agree that we ought to EXPECT that users will do foolish things (with malice or out of ignorance -- I'm not trying to make a moral judgement here) and thus we need to be prepared to practice "security in depth". However, (repeating here, from above) Ken also wrote...
... Teach them [users] to keep their anti-virus software up to date, and their firewall software locked down tight.
I'm not sure why this is something that should be left up to users. Isn't this something that users probably shouldn't be given a choice on? Normally I would think that corporate security policy dictates keeping the AV software / signatures up-to-date as well as dictating the (personal) firewall configurations. Some centrally administered software should do these things. I don't think that (except under very rare circumstances) users should even be given a _choice_ about such things. While that may seem Draconian to some, that's what works best in practice.

Cheers,
-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
[EMAIL PROTECTED]
Phone: 614.215.4788
"The difference between common-sense and paranoia is that common-sense is thinking everyone is out to get you. That's normal -- they are. Paranoia is thinking that they're conspiring." -- J. Kegler